[openstreetmap/openstreetmap-website] Add Communities page (#3301)
Andy Allan
notifications at github.com
Mon Sep 12 08:47:39 UTC 2022
@gravitystorm commented on this pull request.
> @@ -0,0 +1,17 @@
+<% content_for :heading do %>
+ <h1><%= t ".title" %></h1>
+<% end %>
+
+<p class="lead"><%= t ".lede_text" %></p>
+
+<h2><%= t ".local_chapters.title" %></h2>
+<p><%= t ".local_chapters.about_text" %></p>
+<p><%= t ".local_chapters.list_text" %></p>
+<ul>
+ <% @local_chapters.each do |chapter| %>
+ <li><a href="<%= chapter.url %>"><%= t "osm_community_index.communities.#{chapter.id}.name" %></a></li>
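Review bot: on the `<li><a href="<%= chapter.url %>">` line, ERB output escaping neutralises markup characters in `chapter.url` but does nothing about the URL scheme, so a `javascript:` URL arriving from the community index would still be rendered as a clickable link. Consider checking that the URL is http(s) before emitting the anchor (and omitting the link otherwise), or building it with `link_to` from a validated value, so the rendered list does not depend on the upstream data being well-behaved.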
A supply chain XSS attack would be where something we rely on but don't control (in this case, the community index repo, and the translations therein) has nefarious HTML that we incorporate into our site.
But the Rails translation system will automatically escape any HTML found in the translation strings, unless steps are taken to output the translated string in raw format (e.g. by appending `_html` to the key). So unless I'm wrong, in which case I'd love to see a more detailed explanation, a PoC, or steps to recreate, this is fine and no different from what we do already with our own translations.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/3301#discussion_r968147208
Message ID: <openstreetmap/openstreetmap-website/pull/3301/review/1103708425 at github.com>
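The escaping behaviour the comment relies on, as an added stand-alone model written for this page (it is not code from the PR or from openstreetmap-website, and it does not load Rails). A hash of constructed strings stands in for translations pulled from the upstream community index; `translate` mirrors the Rails convention that only keys ending in `_html` are emitted as raw markup, and `safe_href` shows the check that output escaping alone does not give you, namely rejecting non-http(s) schemes in the chapter URL before it is placed in an `href`. `UPSTREAM_TRANSLATIONS`, `translate`, `safe_href` and `render_chapter` are all names chosen here, not identifiers from the project.

```ruby
require "erb"
require "uri"

# Constructed stand-in for translation strings fetched from a repo we do not
# control. The first value carries hostile markup, the second is a key the
# site author has deliberately marked as trusted HTML.
UPSTREAM_TRANSLATIONS = {
  "osm_community_index.communities.example.name" =>
    "Example Chapter <script>alert(1)</script>",
  "communities.lede_text_html" => "<b>Welcome</b>",
}.freeze

# Model of the Rails I18n rule: every looked-up string is HTML-escaped on
# output unless the key ends in _html, in which case it is emitted raw.
# ERB::Util.html_escape is what <%= %> applies in a Rails view.
def translate(key)
  value = UPSTREAM_TRANSLATIONS.fetch(key)
  key.end_with?("_html") ? value : ERB::Util.html_escape(value)
end

# Escaping protects the attribute boundary, not the URL scheme: an escaped
# "javascript:alert(1)" is still a live javascript: link. Only http and
# https are allowed through here; anything else (including relative URLs
# and unparsable strings) yields nil so the caller can drop the anchor.
ALLOWED_SCHEMES = %w[http https].freeze

def safe_href(url)
  uri = URI.parse(url.to_s.strip)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  ERB::Util.html_escape(url)
rescue URI::InvalidURIError
  nil
end

# Renders one list item the way the view in the PR does, but with the
# scheme check applied to the chapter URL. Returns the HTML as a string.
def render_chapter(id, url)
  name = translate("osm_community_index.communities.#{id}.name")
  href = safe_href(url)
  href ? %(<li><a href="#{href}">#{name}</a></li>) : %(<li>#{name}</li>)
end

if __FILE__ == $PROGRAM_NAME
  puts render_chapter("example", "https://osm.example/chapter")
  puts render_chapter("example", "javascript:alert(1)")
  puts translate("communities.lede_text_html")
end
```

Running the file prints the escaped chapter name inside a normal link, the same name without a link for the `javascript:` URL, and the raw `<b>Welcome</b>` for the `_html` key, which is exactly the point of the comment: the translation text itself is safe by default, and the remaining exposure is wherever a value is deliberately output raw or used somewhere escaping does not apply.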